Apache httpd 2.0.51 Released

Follow Slashdot stories on Twitter

Apache httpd 2.0.51 Released 15

Posted by timothy on Wednesday September 15, 2004 @04:25PM from the now-with-more-patch dept.

djh101010 writes "apache.org has announced version 2.0.51 of their webserver, which is a bug-fix (rather than a feature) release. There are 5 security vulnerabilities addressed by this release, so if you're using mod_ssl, IPv6, or a couple other things, it's worth taking a look at what was fixed."

This discussion has been archived. No new comments can be posted.

Apache httpd 2.0.51 Released

Load All Comments

Search 15 Comments Log In/Create an Account

Comments Filter:

mod_perl (Score:4, Interesting)

by embobo ( 1520 ) writes: on Wednesday September 15, 2004 @04:28PM (#10259745) Homepage

Is mod_perl 2.0 ready for prime time yet? Last time I checked--a few months ago--the core was there but the mp 1.x emulation didn't work very well and some important modules, e.g., Apache::AuthCookie weren't ported yet. I went back to 1.x.

Share
twitter facebook
- Re:mod_perl (Score:4, Informative)
  
  by djh101010 ( 656795 ) * writes: on Wednesday September 15, 2004 @05:43PM (#10260420) Homepage Journal
  
  Can't speak to 2.0; I'm still using 1.99_16 myself, which seems to be playing nice with 2.0.50 and I assume 2.0.51 (building now).
  
  Parent Share
  twitter facebook
  - Re:mod_perl (Score:2)
    
    by aled ( 228417 ) writes:
    
    Do we still need to recompile mod_*s with each new apache release or is the ABI stable enough to carry the binaries on?
    - Re:mod_perl (Score:2, Informative)
      
      by Anonymous Coward writes:
      
      ABI is generally stable enough. Be careful about just replacing httpd / libhttpd.so though - because some of the security / bug fixes are in modules (or in libapr.so / libaprutil.so) and not the core.
      
      Third party modules should march happily on without being rebuilt.
      
      An obvious exception might be modperl which provides substantial coverage of entry points, constant #defines and other aspects of the core itself. It also relies on 'expected results' from alot of edge functions which weren't widely used (and
Vuln list; is Apache 1.3 effected as well? (Score:5, Informative)

by molo ( 94384 ) writes: on Wednesday September 15, 2004 @05:00PM (#10260006) Journal

Here is the list of vulnerabilities. For more information (including a list of effected versions), see the Apache Week [apacheweek.com] listing.

Does anyone have any information about whether the mod_ssl DoS vuln effects Apache 1.3.x as well? Thanks. -molo

An input validation issue in IPv6 literal address parsing which can result in a negative length parameter being passed to memcpy.
[CAN-2004-0786]

A buffer overflow in configuration file parsing could allow a local user to gain the privileges of a httpd child if the server can be forced to parse a carefully crafted .htaccess file.
[CAN-2004-0747]

A segfault in mod_ssl which can be triggered by a malicious remote server, if proxying to SSL servers has been configured.
[CAN-2004-0751]

A potential infinite loop in mod_ssl which could be triggered given particular timing of a connection abort.
[CAN-2004-0748]

A segfault in mod_dav_fs which can be remotely triggered by an indirect lock refresh request.
[CAN-2004-0809]

Share
twitter facebook
- Re:Vuln list; is Apache 1.3 effected as well? (Score:4, Informative)
  
  by redwoodtree ( 136298 ) * writes: on Wednesday September 15, 2004 @06:52PM (#10260970)
  
  Apache 1.3 uses mod_ssl as an "add_on" . Their home page is at http://www.modssl.org/ It's a different workflow than apache 2.0. I don't see any updates there, so I assume that as of _this point in time_ ssl on 1.3.x is not impacted.
  
  Parent Share
  twitter facebook
Significant Opera problem fixed (Score:3, Informative)

by troon ( 724114 ) writes: on Thursday September 16, 2004 @03:22AM (#10263764)

I've yet to try it out, but this release claims to allow the administrator to unset the previously-mandatory Content-Location header added when mod_negotiation is in play.

This "feature" triggered an Opera "feature" that made in-document fragment anchors fail on dynamically generated, URL-rewritten documents.

Full description [plus.com] of the problem. Hopefully 2.0.51 means I don't need to fiddle with the Apache source any more: I'll update the problem page if so.

Share
twitter facebook
- Re:Significant Opera problem fixed: confirmation (Score:2, Informative)
  
  by troon ( 724114 ) writes:
  
  Yeah, it's fixed. You can now remove the Content-Location header, which works around the Opera "feature".
  
  Explanation page [plus.com] updated.
Apache security documentation (Score:1, Informative)

by Anonymous Coward writes:

http://www.cgisecurity.com/webservers/apache/ [cgisecurity.com]
Sidenote on the bugfixes (Score:4, Informative)

by agent dero ( 680753 ) writes: on Thursday September 16, 2004 @08:08PM (#10272832) Homepage

Here at Texas A&M, IBM just gave a talk to our ULUG (Unix & Linux UG) about a project they use called "BogoSec" where they can get rough estimations of source security.

The most drastic example of security problems was between vsftpd and wu-ftpd, but the presenter also showed some graphs for httpd 2.xxx releases, where the bugfix releases drastically improved the security.

Hoorah for bugfix releases, they're always good.

Share
twitter facebook
apache 2.0.51 (Score:2)

by pbranes ( 565105 ) writes:

I've been running this version on a box for a few days now and haven't seen any performance issues or outstanding bugs, so I would really recommend everyone upgraded asap.
blog [homeip.net]
Patch for Security Regression in Apache 2.0.51 (Score:2)

by dananderson ( 1880 ) writes:

There's a patch for the security regression in 2.0.51. See CAN-2004-0811 and Apache Week for 9/23/2004 [apacheweek.com] Another Apache release 2.0.52 is coming down the pike to fix this and some minor issues.
To quote ApacheWeek: One of the new features included in [Apache 2.0.51] is that a container can now be used to limit the effect of a Satisfy directive to specific methods. Unfortunately, a bug in the implementation meant that merging of Satisfy directives did not work correctly. The result was that if "Satisfy An
- Apache 2.0.52 now available (Score:2)
  
  by dananderson ( 1880 ) writes:
  
  Apache 2.0.52 is now available at Apache Mirrors, http://www.apache.org/dyn/closer.cgi/httpd/ [apache.org]
  Apache 2.0.51 is not even available, as 2.0.52 fixes the 2.0.51 regression.
  BTW, I have a document about using PHP and Apache2 at http://dan.drydog.com/apache2php.html [drydog.com]

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Apache httpd 2.0.51 Released 15

Apache httpd 2.0.51 Released More Login

Apache httpd 2.0.51 Released

mod_perl (Score:4, Interesting)

Re:mod_perl (Score:4, Informative)

Re:mod_perl (Score:2)

Re:mod_perl (Score:2, Informative)

Vuln list; is Apache 1.3 effected as well? (Score:5, Informative)

Re:Vuln list; is Apache 1.3 effected as well? (Score:4, Informative)

Significant Opera problem fixed (Score:3, Informative)

Re:Significant Opera problem fixed: confirmation (Score:2, Informative)

Apache security documentation (Score:1, Informative)

Sidenote on the bugfixes (Score:4, Informative)

apache 2.0.51 (Score:2)

Patch for Security Regression in Apache 2.0.51 (Score:2)

Apache 2.0.52 now available (Score:2)

Related Links Top of the: day, week, month.

Slashdot Top Deals

Slashdot